Java at 20 Years, Part 1: What’s In a Name?


Unless you've been coding in a cave you know that Oracle is marking the 20th anniversary of the release of the first version of Java for public use, which happened on May 23, 1995. Big O has set up a nice Web site with lots of links to articles and video clips commemorating "20 years of Java innovation." If you haven't checked it out, you should.

I've talked with a bunch of people this week about Java's big birthday, including the person credited with naming it. Twenty years ago, Kim Polese served as the original product manager for Java at Sun Microsystems. She left the company in early 1996 to found Marimba, one of the first Internet-based software management companies, with former Sun engineers Arthur van Hoff, Jonathan Payne, and Sami Shaio. She later served as CEO of SpikeSource, an automated software testing company acquired by Black Duck in 2010. She is currently the chairwoman of ClearStreet Inc., a social finance startup focused on "helping people eliminate debt and achieve long-term financial health," and CrowdSmart, which enables university alumni and students to "collaboratively engage, support and profit from alma mater startups."

When it was 'Oak'
Polese spent about seven years at Sun, during which time she worked on the overall development and promotion of the Java brand, including its business strategy, licensing model, marketing communications, and developer evangelism. She first saw Java (then called "Oak") at an internal Sun conference.

"I got a sneak peek of Oak on a device called the Star 7, which had been created to demonstrate the vision behind the language," she told me. "At the time I was the product manager for C++ and object oriented technologies at Sun. Once I saw Java and I realized its power, I came on board as the product manager."

When it was originally conceived, Java was called "Green" or "Project Green," depending on whose memory you trust, and Sun actually spun out a separate, wholly owned organization to tackle it. That organization was called FirstPerson, Polese recalled.

"We were housed in a different location from the mothership, in downtown Palo Alto, at 100 Hamilton Ave., which is where Palantir is now," Polese said. "Very few people at Sun knew we existed."

In her new role, Polese's responsibility was a daunting one: to make Java ubiquitous. "I remember feeling the enormous responsibility of my job, because I knew well the potential of this technology," she said. "On the team, our goal was simple: ubiquity or go home."

Former Sun CEO Scott McNealy had begun proclaiming that "the network is the computer" back in the late 1980s, but even by the time Java debuted, the network -- the Internet -- was still limited and primitive.

Way Ahead of its Time
"Java was a language that was designed for a future networked world that didn't exist back in the beginning of the 90s," Polese said. "The World Wide Web and Mosaic were infant technologies back then. Quite simply, Java was way ahead of its time."

And yet, it would be Java's role as a tool for building Web technology that initially defined the language. In those early days, Java was all about applets, Polese said.

"Up until we released Java in May 1995, Web pages could only contain static text," she said. "You could only hyperlink to other Web pages containing static text. Java brought interactivity to the Internet. For the first time you could actually run little applications -- "applets" -- in Web pages."

Before Java was released to the world, Sun worked with individual developers at companies, universities and research institutions, encouraging them to write the first applets to provide more than a tumbling Duke animation, Polese recalled. The idea was to demonstrate Java's power.

"These were some very exciting examples that, when people saw them for the first time, made clear the power and potential of Java," she said. "For example, one developer from Lawrence Livermore Labs created an app that displayed the image of a human body; when you moved the cursor over the body you would see MRI slices generated in real time. This app pointed to the potential for doctors to collaborate to diagnose diseases remotely. Another applet from a developer at a Wall Street firm was a spreadsheet calculating the value of an individual's net worth based on their stock portfolio, again, in real time. This pointed to the potential for applications in financial services. These were just a couple of the early examples, but they were critical in demonstrating to the world the power and potential of Java when it was released."

Ultimately, Java's first decade would be about enterprise applications and enabling the first generation of the commercial Internet, Polese said. Not surprisingly, her first company, Marimba, pioneered enterprise application deployment and management based on Java.

"For the first time, companies could develop and deliver platform-independent enterprise applications and remotely manage them to any desktop or device inside or outside the firewall, securely and reliably," she said. "This was a huge breakthrough for enabling the ubiquitous adoption of the Internet as a platform for doing business."

Nearing Ubiquity
Now at the end of its second decade, Java isn't exactly ubiquitous, but it's a lot closer -- thanks in no small part to the advent of the Android OS, Polese said. "Java was designed for a future world in which a ubiquitous network would connect us all to each other and to unlimited numbers of devices and embedded systems," she said, "a network that would also connect those devices to each other (a.k.a. the Internet of Things.) With Android, Java is now in billions of devices, and this vision is being fully realized."

So, how did Java get its name? "Oak" (from a tree outside James Gosling's office) was popular internally, but Polese felt that the fledgling language needed a moniker that conveyed the idea of waking up the Web. Two brainstorming sessions produced several possibilities, including "Ruby," which would have stood for Runtime Bytecodes, and "WRL" for Web Runner Language. (Web Runner was the name of the browser before it was called HotJava.) "Java" emerged from a riff on the word "caffeine," Polese said.

"We were bringing interactivity to the Web pages," she said, "essentially waking them up with the introduction of applets, so I thought Java would be the best name. But that was not a unanimously held view on the team. In fact, when I held a vote, there was no clear winner. In the end, as product manager, it was my responsibility to choose the name, so I went with Java. I then asked Eric Schmidt, who was running the team at the time, for his thumbs up, which he gave. We had Mark Andersen Design create the logo, and Java turned out to be one of the iconic and enduring brands of the Internet and the connected experience."

More of my conversations with Java mavens about the language and platform at 20 in Part 2.

Posted by John K. Waters on 05/22/2015 at 4:32 AM

Oracle's 2.5-Year Effort to Re-engineer APEX Bears Fruit

It's probably the most popular development tool you've only kinda-sorta heard of. Oracle's Application Express (APEX) rapid Web app development tool has been around for more than a decade in one form or another, and it enjoys enormous popularity within the Oracle community. The latest incarnation, APEX 5, was released last month. The company spent two years and seven months re-engineering the tool, and according to its creator, Michael Hichwa, vice president of Oracle's Software Development group, it was time well spent.

"This release took us a lot longer than usual," Hichwa told me. "In fact, it was the longest period between updates in the history of APEX, and it included three beta programs. We had a bigger objective this time, and we wanted to get it right."

Hichwa has been leading the APEX team since he developed the tool in 1999. Back then, it was really just him, but today there's a team of about 18 developers working on the tool, he said, and a community of about 300,000.

That number may not seem that high when compared with the communities of Java or PHP developers, but they are a devoted bunch. "From the beginning, we've been community-based," Hichwa said. "We get our momentum and excitement primarily from the community, not from Oracle. In fact, our best conferences are run by our user communities."

Formerly called HTML DB, APEX comes with all Oracle databases, starting with Oracle 11g, and is installed by default as part of the core database install at no additional cost. It's a browser-based environment "that combines the qualities of a personal database, productivity, ease of use, and flexibility with the qualities of an enterprise database, security, integrity, scalability, availability and built for the Web," the company says on its Web site.

The tool is popular in IT departments among those running ERP and CRM applications; they use it to extend and fill gaps. But in recent years, APEX has gained traction for line-of-business development -- sales, finance, procurement and so on. "They all have their particular needs for automation within their business groups," Hichwa explained. "Because APEX has a lower bar, technically, business-area experts who are not full-time professional developers, but who are technical, can use it. These are people who can get their heads around a SQL statement and understand the data model. APEX allows them to create a high-quality Web application quickly, without having to dive deeply into the computer science realm."

Hichwa, who, even after more than 10 years on this project, was fairly bursting with a genuinely infectious enthusiasm for this release, said that more books have been written about APEX than any other Oracle technology (20 books, by my count). Expect to see a lot more later this year covering APEX 5. "We'll be writing a few of them ourselves," he said.

APEX 5 is brimming with enhancements, including Universal Theme, an all-new UI for APEX apps. It's simpler than previous themes and more easily customizable, and it addresses the growing need to build modern, responsive, sophisticated apps without requiring expert knowledge of HTML, CSS or JavaScript, Hichwa said. The new UI also includes a new color palette; icons for easy, visual identification; intuitive workflow-based menus; and improved keyboard and accessibility support.

This release also comes with Page Designer, a new IDE designed to enhance developer productivity for prototyping, design, development and maintenance of APEX apps. The IDE provides a drag-and-drop interface for rapid development of app pages. And an enhanced code editor provides SQL and PL/SQL validation with inline errors, auto completion, syntax highlighting, search and replace with regex support, and undo and redo support.

The list of enhancements also includes a new mobile reporting capability; support for modal and non-modal dialogs; a new calendar; and a collection of Packaged Applications -- 19 APEX apps that can be used out of the box and are supported by Oracle.

A complete list of APEX 5 enhancements and details can be found here.

Posted by John K. Waters on 05/11/2015 at 10:41 AM

Java Security: It's a Multilayer Problem

Things have quieted down quite a bit on the Java security front during the last year or so. Rare these days are the heart-stopping revelations of zero-day vulnerabilities; and fewer are the grumbling editorials about the lack of end-user update hygiene. (Although, as far as I'm concerned, that issue is still quite grumble-worthy.) Oracle's click-to-play feature was at least partly responsible for a 2014 in which there were no major zero-day Java vulnerabilities discovered and exploited in the wild.

Which is great, but not the end of the Java security story. As long as Java's enormous popularity in the enterprise continues, it's going to be an alluring target, Java security expert John Matthew Holt reminded me recently.

Holt is the CTO of Waratek, a company specializing in Java security, so you could argue that he has a vested interest in Java insecurity. But he's right to point out that the Java stack has more than one layer. Even if you manage to keep up with Oracle's patch schedule for the Java platform layer, you still have to deal with the app server layer, the libraries and the business logic, each with its own patch cadence. For example: Oracle releases Java security fixes in its quarterly Critical Patch Update, on the Tuesday closest to the 17th day of January, April, July and October; Apache Struts patches, by contrast, have arrived roughly every 72 days, on no fixed calendar.

"I give great credit to Oracle for addressing the vulnerabilities in the Java Platform layer," Holt said. "That's kind of a never-ending battle. Even if an organization manages to keep up with the Java security fixes, the vulnerabilities shift to somewhere else in the software stack."

For example: By my count, there have been 10 Struts vulnerabilities reported over the past two years with a CVSS rating of 9 or 10, which is very high and marks them as critical.

Holt is an enthusiastic proponent of Runtime Application Self Protection, or RASP, which Gartner has defined as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Holt's company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).

"RASP is something very different," he said. "We've never had a tool that lives inside the runtime and has the benefit of real, accurate, actionable intelligence about what the application is doing."

Holt's Dublin-based company also recently unveiled a new security technology worth mentioning: the Taint Detection Engine, which is designed to detect and block SQL injection attacks without generating false positives or relying on heuristics. The Taint Engine (pipe down, you snickering fifth graders!) is part of the company's AppSecurity for Java product.

As I'm sure you know, a SQL injection involves inserting malicious SQL into an entry field so that it is executed as part of the application's query. A successful attack can, among other things, read and modify sensitive data and execute administrative operations on the database. Depending on which analyst you pester until he or she emails you back just to shut you up, SQL injection is blamed for as much as 80-plus percent of the records stolen in hacking incidents. It sits at or near the top of the most-wanted lists at OWASP and the SANS Institute. (OWASP has published a SQL Injection Prevention "Cheat Sheet" that's worth reading; its first recommendation is parameterized queries.)

"It's insidious," Holt said. "Developers can download these kinds of libraries easily, and incorporate them into their applications. Their managers are happy because they delivered the product on time, but they've got all this code that the organization didn't write, didn't put up to a static analysis tool, didn't get results from, and hasn't been reviewed."

The AppSecurity for Java product performs transparent taint detection and validation of each character in a SQL query in real time, from within the JVM. It's a cool product and worth investigating. Waratek went to SaaS and software security consultancy BCC Risk Advisory to have the above claims independently verified.
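To make the two ideas in this post concrete, here is an added example of my own; it is not Waratek's code and does not describe how its engine works. It runs in Python against an in-memory SQLite table constructed for the purpose, and shows a login query built by string concatenation beside its parameterized fix, plus a small structure-comparison check in the spirit of taint detection: the query is lexed twice, once with the real (tainted) input and once with an inert placeholder in each slot, and the request is blocked if the tainted characters changed the token structure. The table layout and the LOGIN_TEMPLATE string are assumptions for the example.

```python
import re
import sqlite3

# Assumed query shape for the example (the application's own template).
LOGIN_TEMPLATE = (
    "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
)


def make_db():
    """In-memory SQLite database seeded with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return db


def login_concat(db, user, pw):
    """Vulnerable: user-controlled text is spliced into the SQL program."""
    return db.execute(LOGIN_TEMPLATE % (user, pw)).fetchall()


def login_prepared(db, user, pw):
    """Hardened: bound parameters are data; the driver never parses them as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchall()


# Minimal SQL lexer: just enough token classes to see whether input escaped a literal.
_TOKEN = re.compile(
    r"""
    (?P<str>'(?:[^']|'')*')              # single-quoted string literal
  | (?P<num>\d+(?:\.\d+)?)               # numeric literal
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op><>|<=|>=|=|<|>|\(|\)|,|;|\*|-|\+|/)
  | (?P<ws>\s+)
  | (?P<other>.)                         # anything else (e.g. a dangling quote)
    """,
    re.VERBOSE | re.DOTALL,
)


def token_kinds(sql):
    """Sequence of token classes for a query, ignoring whitespace."""
    return [m.lastgroup for m in _TOKEN.finditer(sql) if m.lastgroup != "ws"]


def structurally_safe(template, *tainted):
    """Tainted values may fill a literal but must never reshape the query.

    The query is built once with inert placeholders and once with the real
    values.  If the token sequences differ, some tainted character added,
    removed or changed a token, i.e. it escaped the literal it was meant to fill.
    """
    expected = token_kinds(template % tuple("x" for _ in tainted))
    actual = token_kinds(template % tainted)
    return expected == actual


def guarded_login(db, user, pw):
    """Run the concatenated query only if the tainted input kept its place."""
    if not structurally_safe(LOGIN_TEMPLATE, user, pw):
        return None  # blocked: the input altered the query's structure
    return login_concat(db, user, pw)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat   :", login_concat(db, "alice", payload))    # both rows leak
    print("prepared :", login_prepared(db, "alice", payload))  # []
    print("guarded  :", guarded_login(db, "alice", payload))   # None (blocked)
    print("guarded  :", guarded_login(db, "alice", "s3cret"))  # [('alice', 'admin')]
```

Two things worth noticing when you run it. The tautology is placed in the password field rather than the username on purpose: `name = '' OR '1'='1' AND password = 'x'` returns nothing because AND binds tighter than OR, whereas `name = 'alice' AND password = '' OR '1'='1'` returns every row. And the toy structure check rejects a legitimate name such as O'Brien because the apostrophe splits the literal, which is exactly the false-positive problem Holt says Waratek's engine avoids; the parameterized query has no such trouble, which is why binding parameters is the fix and a runtime check is the safety net.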

Posted by John K. Waters on 04/08/2015 at 10:32 AM

JFrog Adds Docker Support for its DaaS Platform

JFrog has joined the ever-expanding Docker ecosystem with new support for the container technology in its Bintray distribution-as-a-service (DaaS) platform. Developers use the popular platform to publish, download, store, promote, and share open source software packages.

I think it's fair to call Bintray "popular," because it won a Duke's Choice Award at JavaOne, and it's currently serving 125,690 packages in 39,981 repositories. Then there's the sexy customer list, which includes Apple, Netflix, Twitter, and Oracle.

The France-, US-, and Israel-based JFrog bills Bintray as a self-service platform that gives developers full control over their published software and how it's distributed. Fred Simon, JFrog's cofounder and chief architect, described Bintray as a "seasoned cloud platform," when I Skyped with him earlier this month. "Thousands of developers and DevOps teams use Bintray," he said.

The added Docker support in the new version makes it possible for organizations to create an unlimited number of private Docker repositories, Simon explained. The platform uses the Akamai content delivery network to decrease the download time of large Docker repositories, which speeds up DevOps efforts, he said.

Bintray works hand-in-glove with the company's flagship product, the cloud-based Artifactory binary repository manager (another Duke's Choice winner). Artifactory was one of the first binary repository management solutions. It integrates with the open-source Jenkins continuous integration (CI) server, Atlassian's Bamboo CI, JetBrains' TeamCity build and CI server, the Gradle and Apache Maven project automation tools, and the NuGet package manager for .NET, among others.

JFrog announced support for private Docker Registries in Artifactory last November. The Bintray support was an inevitable next step, Simon told me. "Artifactory is there to aggregate and manage the containers that you are creating, managing, or using; Bintray is really the place to publish and distribute those containers," he said. "You now have an end-to-end solution for many binary or package types."

The company's CEO, Shlomi Ben Haim, called support for Docker "a natural progression of JFrog's mission to provide agnostic, enterprise-grade support for every stage and aspect of code development and deployment."

JFrog launched a new commercial version of Bintray last year. Bintray Premium supports "premium repositories," with unlimited storage and downloads, full download stats, access control, and download tracking, among other features.

JFrog is just the latest toolmaker to join in the warp-speed expansion of the Docker ecosystem. Containerization and microservice architectures are gaining serious traction in the enterprise, because container-based infrastructures continue to make life easier for the developers who adopt them. As the ever-insightful IDC analyst Al Hilwa puts it: "The level of ecosystem support Docker has gained is stunning, and it speaks to the need for this kind of technology in the market and the value it provides."

Posted by John K. Waters on 03/25/2015 at 9:17 AM

EclipseCon 2015 Wrap-Up

The San Francisco EclipseCon saw some interesting product/project announcements. From the Foundation itself came the milestone releases of two key IoT projects: Paho 1.1 and Mosquitto 1.4. They were actually released ahead of the conference, and I reported on them here. I wanted to highlight some other announcements to come out of the conference.

The Xtext project released version 2.8 of its open source framework for developing programming languages and domain specific languages (DSLs) at the show. The Xtext project combines a generic DSL infrastructure with an editor and a code generator written in Xtend, a Java dialect that compiles to Java 5-compatible source code, which means it can use existing Java libraries. Xtend is now a stand-alone Eclipse project.

The latest release of Xtext, which will be part of the Mars release train in June, comes with 180 bug fixes and big performance improvements, and a bunch of cool new features. It's a long list that includes new support for whitespace-aware languages, such as Python; grammar editor enhancements; new options for language code generation, including the ability to specify annotations to be added to each generated Java class; support for a new version of the Xbase compiler that allows developers to configure the Java version of the generated code; a new Java-to-Xtend converter; and a new formatter API.

The complete list of changes in Xtext 2.8 is available in the release notes.

Java toolmaker ZeroTurnaround released its Optimizer for Eclipse at the show. The free Eclipse plugin is designed to detect and fix common performance hiccups and configuration problems associated with the Eclipse IDE. The company is addressing what it sees as a common problem for Java developers, most of whom use the Eclipse dev tool.

"What Java developer hasn't, at some point in time, thought 'Wow, my Eclipse is really slow today?' " asked Jevgeni Kabanov, founder and CEO of ZeroTurnaround, in a statement. "We wanted to make coding in Eclipse more enjoyable by taking away the developer frustrations of a slow environment. We like to think of Optimizer for Eclipse as a jetpack for your Eclipse environment."

The plugin checks for configuration issues that negatively affect "the IDE user experience" -- everything from insufficient memory allocation to class verification overhead, excessive indexes and history, and lengthy build and redeploy times. Users can set the plugin to fix each type of problem automatically to speed up the IDE. It can also suss out a slow JDK and let users know if their IDE is out of date.

Codetrails announced the alpha release of its very cool Codecity for Eclipse at the show. This is an Eclipse plugin that calculates source code metrics and then provides a visualization of those metrics in the form of a navigable 3D map of a city block. It's a striking representation of data that emerged from the Codecity Project, which was developed at the Università della Svizzera italiana until 2010. These images communicate a ton of information instantly -- which, of course, is the purpose of these kinds of visualizations.

It works from within the IDE, providing users with a "Show in >> Codecity" option in the context menu. The metrics are computed in the background and then displayed in a browser window. The list of metrics supported by the plugin includes: number of declared methods, number of declared fields, number of problem markers, and number of commits. This last metric requires projects to be connected with an Eclipse team provider, the company says.

Codecity is a work in progress, but well worth checking out. It's available from the Eclipse Marketplace.

Posted by John K. Waters on 03/16/2015 at 1:33 PM

Java 9 Deep Dive at EclipseCon 2015

The Java community is still rolling around in the awesomeness of the long-awaited Java 8 release, with its support for lambda expressions, virtual extension (default) methods and streams, compact profiles, the new date/time API and so much more (but mostly that stuff). It was the largest-ever upgrade to the programming model, and by some accounts, it has been the most rapidly adopted update in the history of the platform.

But, you ask, what about Java 9?

Mark Reinhold, chief architect of Oracle's Java Platform Group, offered attendees at EclipseCon 2015, which wrapped on Thursday, a deep dive into the Even Cooler Java update, coming sometime next year.

The big change in Java 9, as everyone knows, is modularity, as laid out in Project Jigsaw, the oft-deferred capability that aims to make it possible for Java developers to create apps that don't need to lug around the entire environment. A Jigsaw module is a collection of Java classes, native libraries and other resources, along with metadata.

"From the beginning, the Java SE platform has been this huge monolithic thing," Reinhold said. "Even if you wanted to use just a small part of it, you had to install all of it." It has been difficult to run Java SE on small devices, he observed, but it has also been a pain on large devices and in some cloud environments. "What we want is a box of Lego parts [which are] modular that we can assemble as needed," he said.

The introduction of compact profiles in Java 8 was a "baby step" toward relieving some of that pain, Reinhold said, but Java 9 "will be composed of a set of finer-grained modules and will include tools to enable developers to identify and isolate only those modules needed for their application," he said.

Project Jigsaw comprises three JEPs and a JSR. JEPs (JDK Enhancement Proposals) allow Oracle to develop small, targeted features for the Java language and virtual machine outside the Java Community Process (JCP), which requires full Java Specification Requests (JSRs).

  • JEP 200: The Modular JDK, defines a modular structure for the JDK. Reinhold described it as an "umbrella for all the rest of them."
  • JEP 201: Modular Source Code reorganizes the JDK source code into modules.
  • JEP 220: Modular Run-Time Images restructures the JDK and JRE run-time images to accommodate modules.
  • JSR 376: Java Platform Module System, the central component of Project Jigsaw, which defines the module system for the Java Platform.

Among other things, the modularization of Java will lead to the removal of rt.jar (the runtime JAR), which Reinhold referred to as "a constant source of pain," in favor of modular run-time images, for a major reduction of the JVM footprint. (JAR files as a packaging format, he added, would be with us "until the heat death of the universe.") Java 8's compact profiles already hint at the savings available: while the full JRE clocks in at 55 MB on 32-bit ARM Linux, Reinhold noted, compact1, the smallest profile, clocks in at 11 MB; compact2 is 17 MB, and compact3 is 30 MB. The modularization project will also lead to the elimination of the extension mechanism and some reorganization of the lib directory, he said.

Modularity will also improve security, he said. After "a bit of a rough period," Java security is now much better, but Java 9 will make it better still by enforcing strong module boundaries -- a module declares what it exports, and everything else is internal and inaccessible to code outside it, which closes off the JDK-internal classes that earlier Java exploits so often reached for. Java 9 will also introduce a tool called jlink, the Java linker, which will assemble a chosen set of modules into a single custom runtime image.

"Vanilla Java is a dynamically linked environment," Reinhold said. "But when you are assembling modules into one pile of bits that is a custom JRE, you need a linker."

Of course, there's already a modular architecture for Java. The OSGi Alliance currently provides a set of specifications that define a dynamic component system for the platform. Reinhold responded to the inevitable question about whether Java 9's new module system will be compatible with OSGi's architecture.

"We intend to explore ways of making standard Java modules available to other module systems," he said, but added, "We don't see how to achieve all of the goals we have for the module system if one of those goals is also to be completely compatible with OSGi."

Reinhold also looked into his crystal ball and speculated a bit on developments beyond Java 9. He touched on current efforts to improve Java's type system and make the language more efficient at handling situations that call for identity-less (value) types via Project Valhalla, announced in August. He also pointed to Project Panama, which aims to improve the connections between the JVM and "foreign" non-Java APIs.


Posted by John K. Waters on 03/13/2015 at 1:55 PM

2 Open Source Eclipse IoT Projects Released Ahead of EclipseCon 2015

The San Francisco edition of the Eclipse Foundation's user conference, EclipseCon 2015, gets under way next week (March 9-12). I'm looking forward to catching some sessions and keynotes on a range of topics, but I'm particularly intrigued by the foundation's activities around the Internet of Things (IoT). The Eclipse IoT momentum just keeps building. In fact, two open-source projects that are part of that effort, Eclipse Paho and Eclipse Mosquitto, announced new releases this week.

The two projects -- Paho 1.1 and Mosquitto 1.4 -- implement, respectively, the client and the broker for the OASIS Message Queuing Telemetry Transport (MQTT) protocol. The MQTT protocol is designed to connect physical-world devices and networks with applications and middleware. It has been widely adopted by IoT solution providers, largely because of its small footprint, minimal bandwidth requirement for messages, and its ability to adapt to unreliable network connections -- all essential qualities for an IoT protocol.

Ian Skerrett, the Foundation's vice president of marketing, who has been leading the Eclipse effort to foster an open-source community around IoT, told me that providing open-source implementations of MQTT has been something of a project focus. Interest in these two projects in particular has been high in the community, Skerrett said in an email, and the Foundation considers their release to mark "a pretty big milestone."

The Eclipse IoT Project aims to establish an open platform for IoT and machine-to-machine (M2M) communication that combines a set of services and frameworks, open-source implementations of standard protocols, and an Eclipse-based IDE for IoT/M2M development.

The Paho Project provides scalable open-source client implementations of open and standard messaging protocols for IoT/M2M apps. New in this release: support for .NET, WinRT, and Android clients; C and C++ libraries for embedded clients; updated versions of the Java, Python, and JavaScript clients to conform to the MQTT 3.1.1 standard. The new version is available for download now.

The Mosquitto project provides an open-source implementation of an MQTT broker. New in this release: easier integration with Web sites through support for WebSockets; more flexible support for TLS 1.2, 1.1 and 1.0 (a deployment should pin the broker to 1.2 unless a legacy client forces otherwise), plus support for the ECDHE-ECDSA family of cipher suites; and improved interoperability between MQTT brokers via better bridge support, including wildcard TLS certificates and conformance to MQTT 3.1.1. The new version is also available now for download.

"In the last year we have seen tremendous interest in the Eclipse IoT community, and in particular Paho and Mosquitto," said the Foundation's executive director Mike Milinkovich, in a statement. "Forty developers contributed to the new Paho and Mosquitto releases, demonstrating incredible interest for these projects and MQTT in general."

The Eclipse IoT project has evolved fairly quickly into a full-fledged community that is currently 15 projects strong. In addition to the MQTT protocol, those projects implement Lightweight M2M and CoAP, as well as several IoT-friendly frameworks.

A complete list of Eclipse IoT projects is available on the Foundation Web site here.

Posted by John K. Waters on 03/06/2015 at 11:32 AM

Report: Oracle's Click-to-Play Feature Greatly Improves Java Security

During last October's JavaOne conference, I attended the post-keynotes Java panel, where leaders of the various Java organizations within Oracle, along with JCP chairman Patrick Curran, lined up at one end of the press room to answer reporters' questions. It's a traditional part of the event, this panel, and I've been to more than a few of them, so you'd think I would have noticed immediately the dearth of questions about the security of Java, which had kicked off the Q&A for the last few years. But it was Henrik Stahl, vice president of product management in Oracle's Java Platform Group, who observed at the end of the discussion that there had been no security questions at all.

I mentioned this later to Mike Milinkovich, the executive director of the Eclipse Foundation, who was on hand that day to lead a session. He was not surprised. "That's what happens when you have a squeaky clean year," he said.

I'm not sure I'd call 2014 "squeaky clean," but Java-based breaches -- not to mention headlines -- were down last year. In fact, there were no major zero-day Java vulnerabilities discovered and exploited in the wild. Why? A new report released this week by HP Security Research offers at least part of the answer. The authors of the "HP Cyber Risk Report 2015" (PDF) credited Oracle's click-to-play feature, introduced in 2014, for the improved security.

"Oracle introduced click-to-play as a security measure making the execution of unsigned Java more difficult," the report's authors wrote. "As a result we did not encounter any serious Java zero days in the malware space. Many Java vulnerabilities were logical or permission-based issues with a nearly 100 percent success rate. In 2014, even without Java vulnerabilities, we still saw high success rate exploits in other areas."

Click-to-play is the browser feature that blocks Java content by default. The Web page displays a blank space until the user clicks the box to enable that content. This seems to have mitigated the vulnerability of Java in the browser, which was largely the result of the way Oracle had bundled the Java browser extension with the Java runtime environment (JRE).

Among the exploits listed in the report's Top 10, none targeted Java, which had been one of the most commonly exploited targets in the previous few years. "This may indicate that the security push, which caused delay in the release of Java 8, is getting some results," the researchers wrote, "although it may be too early to tell. It may also be a consequence of browser vendors blocking outdated Java plugins by default, making the platform a less attractive target for attackers."

The success of the click-to-play feature at thwarting Java attacks was "the one exception" in an "inherently vulnerable" environment in which systems are built on decades-old code, and patches are inadequately deployed, the researchers concluded. And that success may be responsible for shifting attacker focus to vulnerabilities in Microsoft's Internet Explorer and Adobe Flash.

"Attackers continue to leverage well-known techniques to successfully compromise systems and networks," the researchers wrote. "Many client and server app vulnerabilities exploited in 2014 took advantage of codes written many years back -- some are even decades old."

The most common exploit the researchers saw last year was CVE-2010-2568 (CVE stands for "Common Vulnerabilities and Exposures"), which accounted for just over a third of all discovered exploits. According to the CVE site, this vulnerability affects the Windows Shell in XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7. It allows local users or remote attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file, which is not properly handled during icon display in Windows Explorer. Six Java exploits were listed, accounting for a total of 28 percent.

There's much more in this report -- things like a deep-dive into highly successful vulnerabilities, an awesome glossary, and a lot of revealing statistics. The report is free for download. I also recommend the HP Security Research Blog.

Posted by John K. Waters on 02/24/2015 at 4:40 PM

Bosch ProSyst Acquisition Good News for Java and OSGi

German Internet of Things (IoT) platform provider Bosch Software Innovations (BSI) is acquiring ProSyst, a Java- and OSGi-based software vendor specializing in middleware for the IoT, the two companies announced this week. BSI, a subsidiary of the Bosch Group, specializes in the development of gateway software and middleware for IoT.

ProSyst is a provider of middleware for managing connected devices and implementing Machine-to-Machine (M2M) cloud-based applications. The company's roots are in Java and the Open Service Gateway initiative (OSGi) specification, and it has focused mainly on open, modular, and neutral software platforms that services providers and device manufacturers can use to deploy apps and services.

ProSyst products serve as a link between devices and the cloud, and that link is essential for interconnecting buildings, vehicles and machines, said BSI president Rainer Kallenbach, in a statement.

"[T]he ProSyst software will enable our customers to launch new applications on the Internet of Things more quickly and be one of the first to tap into new areas of business," Kallenbach said. "The ProSyst software is highly compatible with the Bosch IoT Suite, our platform for the Internet of Things. Above all, it complements our device management component by supporting a large number of different device protocols. This will allow us to achieve an even better market position than before."

BSI will be acquiring, among other assets, the ProSyst device runtime stacks, tools, SDKs and remote device management/provisioning platforms. Bosch also takes on the company's approximately 110 Java/OSGi engineers.

"ProSyst has been the leading provider of OSGi implementations for embedded systems for many years," Mike Milinkovich, executive director of the Eclipse Foundation, told ADTmag in an e-mail. "A quick look at their customer reference page shows a pretty amazing list of accounts, including Bosch. And those are just the ones that [the company is] allowed to talk about. There are other, very significant players who embed the ProSyst OSGi technology, but prefer anonymity."

The ProSyst customer list includes, among others, Intel, Cisco, AT&T and Deutsche Telekom.

Milinkovich believes that the acquisition signals the intention of Bosch to become a significant player in the IoT, with a particular focus on industrial applications.

"To me, [the Bosch] acquisition of ProSyst means that Java and OSGi will be an important part of [the company's] strategy," Milinkovich said. "That is great news for both Java and OSGi. In particular, I see this as significantly increasing the likelihood that Java and OSGi will be fundamental technologies in the Industrial Internet."

Posted by John K. Waters on 02/19/2015 at 4:11 PM
